Thinking in a Simple Way

搭好梯子再上来 https://simpleface.wordpress.com

Category Archives: Web Server and Web Technologies

How to Install Apache 2.4.2 from Source on CentOS 6.2 with SSL


This file ‘s origin is from :http://www.thegeekstuff.com/2012/05/install-apache-2-on-centos-6/

I found this tutorial is very helpful for me, you i save it to my blog ,in order to learn it .

If you try to follow the how to install Apache with SSL article that we discussed a while back, you’ll face an issue during “make” because of version compatibility between Apache 2.4.4 and APR utilities (Apache Portable Runtime Library) that comes with CentOS 6.

We’ve explained in this article how to solve that issue to get the latest Apache working on CentOS or RedHat.

Make sure you have gcc and openssl-devel installed.

# yum install gcc
# yum install openssl-devel

You also need “Apache Portable Runtime Library” APR to install Apache from source.

You’ll already have “apr” and “apr-util” package installed. Install the apr-devel and apr-util-devel packages.

# yum install apr-devel
# yum install apr-util-devel

Note: In our case (because of the version compatibility issues), we’ll be downloading these and installing it manually later. But, let us go with the flow for now and see what happens when you try to do it this way.

Download Apache

Download Apache from httpd.apache.org. The current stable release is 2.4.2.

Once you get the direct URL to download the latest stable version of Apache, use wget as shown below to download it directly to you server.

cd /usr/src
wget http://mirror.nyi.net/apache//httpd/httpd-2.4.2.tar.gz
tar xvfz httpd-2.4.2.tar.gz

Install Apache with SSL/TLS

View all available Apache installation and configuration options as shown below.

cd httpd-2.4.2
./configure --help

To install an Apache module, you would typically say –enable-{module-name}. For example, to install SSL with Apache, it is –enable-ssl. To install ldap module, it is –enable-ldap.

To uninstall any default module that comes with Apache, you would typically say –disable-{module-name}. For example, to disable basic authentication in Apache, it is –disable-auth-basic

In this example, we will install Apache with all default modules, with addition of –enable-ssl (to install mod_ssl for SSL support), and –enable-so, which helps to load modules in Apache during run-time via the Dynamic Shared Object (DSO) mechanism, rather than requiring a recompilation.

./configure --enable-ssl --enable-so
make
make install

Note: By default the above installs Apache under /usr/local/apache2. If you like to change this location, use –prefix option in the ./configure.

Fixing APR Utility Error Messages

You might’ve not faced this problem while installing older version of Apache as we discussed a while back.

When you execute the “make”, you might get “rotatelogs.c:(.text+0x5ed): undefined reference to `apr_file_link’” error message if you are doing this on CentOS 6.2 as shown below.

# make
rotatelogs.c:298: warning: implicit declaration of function âapr_file_linkâ
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -std=gnu99 -pthread
-o rotatelogs  rotatelogs.lo /usr/lib64/libaprutil-1.la -ldb-4.7 -lexpat -ldb-4.7 
/usr/lib64/libapr-1.la -lpthread
rotatelogs.o: In function `post_rotate':
rotatelogs.c:(.text+0x5ed): undefined reference to `apr_file_link'
collect2: ld returned 1 exit status
make[2]: *** [rotatelogs] Error 1
make[2]: Leaving directory `/usr/src/httpd-2.4.2/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/httpd-2.4.2/support'
make: *** [all-recursive] Error 1

This is because on CentOS 6, the latest APR version available through yum installation is 1.3.9 as shown below.

# rpm -qa apr*
apr-1.3.9-3.el6_1.2.x86_64
apr-util-1.3.9-3.el6_0.1.x86_64

However, Apache 2.4.2 needs the latest version of APR (which is currently 1.4.6).

So, go to APR download page and download both apr and apr-util.

cd /usr/src
wget http://mirror.atlanticmetro.net/apache//apr/apr-1.4.6.tar.gz
wget http://mirror.atlanticmetro.net/apache//apr/apr-util-1.4.1.tar.gz
tar xvfz apr-1.4.6.tar.gz
tar xvfz apr-util-1.4.1.tar.gz

Now, you should place this new version of apr and apr-util directories (without the version name in the directory) under “srclib” directory located under the httpd-2.4.2 directory that was created when you uncompressed the downloaded apache software.

In my example, I downloaded the httpd-2.4.2.tar.gz and uncompressed it under /usr/src. So, I need to place the latest apr and apr-util under this directory.

mv apr-1.4.6 /usr/src/httpd-2.4.2/srclib/apr
mv apr-util-1.4.1 /usr/src/httpd-2.4.2/srclib/apr-util

After this is done, we need to configure and make it again. If you execute the ./configure –help, you’ll see the following options that are related to APR

# cd /usr/src/httpd-2.4.2
# ./configure --help
  --with-included-apr     Use bundled copies of APR/APR-Util
  --with-apr=PATH         prefix for installed APR or the full path to apr-config
  --with-apr-util=PATH    prefix for installed APU or the full path to apu-config

If you decide to install the apr-1.4.6 and apr-util-1.4.1 on your system, you need to use “–with-apr” and “–with-apr-util” and provide the path where you installed these utility.

In this example, we didn’t do that. i.e We didn’t install the apr and apr-util that we downloaded. Instead we placed them under the httpd-2.4.2/srclib/apr-util. So, we should use “–with-included-apr” in the ./configure which will use these apr and apr-util only for the apache compilation and installation.

So, let us re-do the ./configure (using –with-included-apr), make and make install as shown below.

./configure --enable-ssl --enable-so --with-included-apr
make
make install

Now, make will not give “rotatelogs.c:(.text+0x5ed): undefined reference to `apr_file_link” error message anymore.

Enable SSL in httpd.conf

Apache configuration file httpd.conf is located under /usr/local/apache2/conf.

Uncomment the httpd-ssl.conf Include line and the LoadModule ssl_module line in the /usr/local/apache2/conf/httpd.conf file.

# vi /usr/local/apache2/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

View the httpd-ssl.conf to review all the default SSL configurations. For most cases, you don’t need to modify anything in this file.

# vi /usr/local/apache2/conf/extra/httpd-ssl.conf

The SSL certificate and key are required before we start the Apache. The server.crt and server.key file mentioned in the httpd-ssl.conf needs to be created before we move forward.

# cd /usr/local/apache2/conf/extra
# egrep 'server.crt|server.key' httpd-ssl.conf
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

Create server.crt and server.key file

First, Generate the server.key using openssl.

# cd /usr/src
# openssl genrsa -des3 -out server.key 1024

The above command will ask for the password. Make sure to remember this password. You need this while starting your Apache later.

Next, generate a certificate request file (server.csr) using the above server.key file.

# openssl req -new -key server.key -out server.csr

Finally, generate a self signed ssl certificate (server.crt) using the above server.key and server.csr file.

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

After you’ve done with the above steps, you’ll see the following three files under /usr/src

# ls server*
server.crt  server.csr  server.key

Copy the server.key and server.crt file to appropriate Apache configuration directory location.

cp server.key /usr/local/apache2/conf/
cp server.crt /usr/local/apache2/conf/

Start the Apache

If you are getting the below error message, make sure to uncomment the line shown below in httpd.conf

# /usr/local/apache2/bin/apachectl start
AH00526: Syntax error on line 51 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration

# vi /usr/local/apache2/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so

If you are getting the below error message, make sure to uncomment the line shown below in httpd.conf

# /usr/local/apache2/bin/apachectl start
AH00526: Syntax error on line 76 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ).
 Maybe you need to load the appropriate socache module (mod_socache_shmcb?).

# vi /usr/local/apache2/conf/httpd.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Finally, this will prompt you to enter the password for your private key before starting up the apache.

# /usr/local/apache2/bin/apachectl start
Apache/2.4.2 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Verify that the Apache httpd process is running in the background

# ps -ef | grep http
root   29529     1  0 13:08 ?     00:00:00 /usr/local/apache2/bin/httpd -k start
daemon 29530 29529  0 13:08 ?     00:00:00 /usr/local/apache2/bin/httpd -k start
daemon 29531 29529  0 13:08 ?     00:00:00 /usr/local/apache2/bin/httpd -k start
daemon 29532 29529  0 13:08 ?     00:00:00 /usr/local/apache2/bin/httpd -k start
root   29616 18260  0 13:09 pts/0 00:00:00 grep http

To stop the apache use apachectl stop.

# /usr/local/apache2/bin/apachectl stop

Use httpd -l to view all the modules that are compiled inside the Apache httpd daemon.

# /usr/local/apache2/bin/httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c
  event.c

By default Apache SSL runs on 443 port.

Open a web browser and verify that you can access your Apache using https://{your-ip-address}

Apache 防止 DDoS 攻擊


、 mod_evasive 介绍;

mod_evasive 是Apache(httpd)服务器的防DDOS的一个模块。对于WEB服务器来说,是目前比较好的一个防护DDOS攻击的扩展模块。虽然并不能完全防御DDOS攻击,但在一定条件下,还是起到缓服Apache(httpd)服务器的压力。如果配合iptables、硬件防火墙等防火墙设备配合使用,可能有更好的效果。可惜LinuxSir.Org 并没有硬件防火墙,所以是否这种组合效果有更好的效果,我没办法验证。

mod_evasive 的官方地址: http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz


2、 mod_evasive 的安装和配置;


2.1 mod_evasive 的下载地址;

mod_evasive_1.10.1.tar.gz


2.2 mod_evasive 的安装;

安装 mod_evasive 之前,你要用安装Apache(httpd)服务器软件包,还要安装httpd-devel或 apache-dev。在Slackware 12.0中,安装httpd软件即可;

对于Apache 1.x 请用下面的编译方法;

#/usr/sbin/apxs -iac mod_evasive.c

对于Apache 2.x 可以用下面的办法;

#tar zxvf mod_evasive_1.10.1.tar.gz
#cd mod_evasive
#/usr/sbin/apxs -i -a -c mod_evasive20.c

注:apxs 用于编译模块工具;如果是用系统自带的软件包,一般位于/usr/sbin目录。如果您是自己编译安装Apache(httpd)的,你应该自己来指定路径;

我们然后修改/etc/ld.so.conf 文件,把编译出来的动态模块的所在位置指定在 ld.so.conf中;比如我用的是Aapche 2.x ,编译完成后,模块mod_evasive20.so 安装到了 /usr/lib/httpd/modules 目录中;那我们就要把 这个目录写入到ld.so.conf中。

#echo "/usr/lib/httpd/modules" >> /etc/ld.so.conf
#ldconfig

注: 具体要与你的系统环境为准,不要照搬照抄,如果你对Linux不太熟的话;


2.3 mod_evasive 的配置;

在编译安装完成后,会自动插入一行到Apache 配置文件中,对于Apache 2.x 版本中,应该在其配置文件中有类似下面的一行;

LoadModule evasive20_module   lib/httpd/modules/mod_evasive20.so

对于Apache 1.x来说,也应该差不多,大体只是路径不同罢了;

然后我们再修改 Apache 的配置文件,配置文件名为httpd.conf;

在Apache v1.x 版本中,要加入;

<IfModule mod_evasive.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
</IfModule>

在Apache v2.x加入;

<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
</IfModule>

如果您不知道把这些插入到哪,用下面的办法做也是可以的;

在/etc目录中创建一个文件,比如mod_evasive.conf;

#touch /etc/mod_evasive.conf

然后把根据自己的Apache版本来加入相应的内容;

接着我们再修改 httpd.conf ,在最后一行加入

Include /etc/mod_evasive.conf

修改完成后,我们要重启Apache服务器;

比如在Slackware 12.0中,Apache 2.x的重启,我们要用到

#/etc/rc.d/rc.httpd restart

在Redhat、Fededora、Debian、Ubuntu、CentOS中的Apache,可以用;

#/etc/init.d/httpd restart

#/etc/init.d/apache restart
sun solaris
bin/ ./apachectl restart

大体上差不多是这样的……


2.4 对mod_evasive测试验证 ;

防DDOS的模块做好后,我们可以要验证,可以用Apache 自带的ab工具,系统默认安装在/usr/sbin目录中;比如;

#/usr/sbin/ab -n 1000 -c 50 http://www.google.com:80/

注:上面的例子的意思是,如果您的服务器是google的WEB服务器,我们要发送数据请求包,总共1000个,每次并发50个;

另外一个测试工具就是mod_evasive的解压包的目录中,有个test.pl ,你可以修改IP地址,然后用

#perl test.pl
如果是学校的服务器,可以使用./test.pl ,如果是本机测试,test.pl文件里默认的为127.0.0.1

是不是有效果,请根据 ab工具或 测试脚本出来的结果来查看;结果如下显示:

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

HTTP/1.1 200 OK

#######################################################################

因为我们编译mod_evasive时,用的是默认配置,所以日志被存放在/tmp目录中。如果有DDOS攻击,会在/tmp产生日志。日志的文件是以 dos-开头的;


3、mod_evasive 的高级配置;

如果想更改一些适合自己的参数,有些必要的参数,并不是通过配置文件修改就一下起作用的,我们要修改源码包中的 mod_evasive.c(Apache 1.x用之) 或 mod_evasive20.c (Apache 2.x用之);

#define DEFAULT_HASH_TBL_SIZE   3097ul  // Default hash table size
#define DEFAULT_PAGE_COUNT      2       // Default maximum page hit count per interval
#define DEFAULT_SITE_COUNT      50      // Default maximum site hit count per interval
#define DEFAULT_PAGE_INTERVAL   1       // Default 1 Second page interval
#define DEFAULT_SITE_INTERVAL   1       // Default 1 Second site interval
#define DEFAULT_BLOCKING_PERIOD 10      // Default for Detected IPs; blocked for 10 seconds
#define DEFAULT_LOG_DIR         "/tmp"  // Default temp directory

比如我们改改其中的数字,根据英文很容易理解。比如修改日志存放目录,就把/tmp改成别的目录。如果您不知道放在哪好,还是用默认的吧;

具体的英文解释请看如下描述:

DOSHashTableSize

—————-

The hash table size defines the number of top-level nodes for each child’s

hash table. Increasing this number will provide faster performance by

decreasing the number of iterations required to get to the record, but

consume more memory for table space. You should increase this if you have

a busy web server. The value you specify will automatically be tiered up to

the next prime number in the primes list (see mod_evasive.c for a list

of primes used).

DOSPageCount

————

This is the threshhold for the number of requests for the same page (or URI)

per page interval. Once the threshhold for that interval has been exceeded,

the IP address of the client will be added to the blocking list.

DOSSiteCount

————

This is the threshhold for the total number of requests for any object by

the same client on the same listener per site interval. Once the threshhold

for that interval has been exceeded, the IP address of the client will be added

to the blocking list.

DOSPageInterval

—————

The interval for the page count threshhold; defaults to 1 second intervals.

DOSSiteInterval

—————

The interval for the site count threshhold; defaults to 1 second intervals.

DOSBlockingPeriod

—————–

The blocking period is the amount of time (in seconds) that a client will be

blocked for if they are added to the blocking list. During this time, all

subsequent requests from the client will result in a 403 (Forbidden) and

the timer being reset (e.g. another 10 seconds). Since the timer is reset

for every subsequent request, it is not necessary to have a long blocking

period; in the event of a DoS attack, this timer will keep getting reset.

########################################################################

如果您在这里更改了参数,不要忘记修改Apache 配置文件中关于mod_evasive 的参数;

如果您想加入一些其它的参数,请查阅源码包中的README,里面有详细说明,大多来说没太大的必要……

这个文件相当重要,如果您想更改某些设置,就要修改这个文件……

ok,基本上这个module的介绍就这里了

How to configure your logfiles and logformat of Apache


The server error log, whose name and location is set by the ErrorLog directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.
The format of the error log is relatively free-form and descriptive. But there is certain information that is contained in most error log entries. For example, here is a typical message.

[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /export/home/live/ap/htdocs/test

Common Log Format

A typical configuration for the access log might look as follows.

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common

This defines the nickname common and associates it with a particular log format string. The format string consists of percent directives, each of which tell the server to log a particular piece of information. Literal characters may also be placed in the format string and will be copied directly into the log output. The quote character (") must be escaped by placing a backslash before it to prevent it from being interpreted as the end of the format string. The format string may also contain the special control characters “\n” for new-line and “\t” for tab.

The CustomLog directive sets up a new log file using the defined nickname. The filename for the access log is relative to the ServerRoot unless it begins with a slash.

The above configuration will write log entries in a format known as the Common Log Format (CLF). This standard format can be produced by many different web servers and read by many log analysis programs. The log file entries produced in CLF will look something like this:

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326

Each part of this log entry is described below.

127.0.0.1 (%h)
This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine.
- (%l)
The “hyphen” in the output indicates that the requested piece of information is not available. In this case, the information that is not available is the RFC 1413 identity of the client determined by identd on the clients machine. This information is highly unreliable and should almost never be used except on tightly controlled internal networks. Apache httpd will not even attempt to determine this information unless IdentityCheck is set to On.
frank (%u)
This is the userid of the person requesting the document as determined by HTTP authentication. The same value is typically provided to CGI scripts in the REMOTE_USER environment variable. If the status code for the request (see below) is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this part will be “-” just like the previous one.
[10/Oct/2000:13:55:36 -0700] (%t)
The time that the request was received. The format is:[day/month/year:hour:minute:second zone]
day = 2*digit
month = 3*letter
year = 4*digit
hour = 2*digit
minute = 2*digit
second = 2*digit
zone = (`+' | `-') 4*digit

It is possible to have the time displayed in another format by specifying %{format}t in the log format string, where format is either as instrftime(3) from the C standard library, or one of the supported special tokens. For details see the mod_log_config format strings.

"GET /apache_pb.gif HTTP/1.0" (\"%r\")
The request line from the client is given in double quotes. The request line contains a great deal of useful information. First, the method used by the client is GET. Second, the client requested the resource /apache_pb.gif, and third, the client used the protocol HTTP/1.0. It is also possible to log one or more parts of the request line independently. For example, the format string “%m %U%q %H” will log the method, path, query-string, and protocol, resulting in exactly the same output as “%r“.
200 (%>s)
This is the status code that the server sends back to the client. This information is very valuable, because it reveals whether the request resulted in a successful response (codes beginning in 2), a redirection (codes beginning in 3), an error caused by the client (codes beginning in 4), or an error in the server (codes beginning in 5). The full list of possible status codes can be found in the HTTP specification (RFC2616 section 10).
2326 (%b)
The last part indicates the size of the object returned to the client, not including the response headers. If no content was returned to the client, this value will be “-“. To log “0” for no content, use %B instead.

Combined Log Format

Another commonly used format string is called the Combined Log Format. It can be used as follows.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog log/access_log combined

This format is exactly the same as the Common Log Format, with the addition of two more fields. Each of the additional fields uses the percent-directive %{header}i, where header can be any HTTP request header. The access log under this format will look like:

127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"

The additional fields are:

"http://www.example.com/start.html" (\"%{Referer}i\")
The “Referer” (sic) HTTP request header. This gives the site that the client reports having been referred from. (This should be the page that links to or includes /apache_pb.gif).
"Mozilla/4.08 [en] (Win98; I ;Nav)" (\"%{User-agent}i\")
The User-Agent HTTP request header. This is the identifying information that the client browser reports about itself.

Multiple Access Logs

Multiple access logs can be created simply by specifying multiple CustomLog directives in the configuration file. For example, the following directives will create three access logs. The first contains the basic CLF information, while the second and third contain referer and browser information. The last twoCustomLog lines show how to mimic the effects of the ReferLog and AgentLog directives.

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common
CustomLog logs/referer_log "%{Referer}i -> %U"
CustomLog logs/agent_log "%{User-agent}i"

This example also shows that it is not necessary to define a nickname with the LogFormat directive. Instead, the log format can be specified directly in theCustomLog directive.